angryserver – WindowsTechs.com

Can someone with access to only my Yubikey gain access to my server that has SSH access via an ED25519-sk keypair?

Posted on May 8, 2023 by angryserver

My understanding is that an ED25519-sk SSH key generated by OpenSSH generates a private key stub that lives on your host machine. This stub is just a reference to the actual private key that lives on the actual hardware key itself.
My unde… Continue reading Can someone with access to only my Yubikey gain access to my server that has SSH access via an ED25519-sk keypair?→

Does AWS security group block unintentionally exposed ports from Docker?

Posted on October 24, 2022 by angryserver

My typical cloud server hardening includes blocking ports at the UFW level on the server as well as at the AWS security group level.
I recently learned that Docker overwrites your IPTables. Given that, I had previously blocked a port x wit… Continue reading Does AWS security group block unintentionally exposed ports from Docker?→

Why should I re-generate a server’s SSH host keys?

Posted on October 9, 2022 by angryserver

This server hardening guide suggests re-generating the RSA and ED25519 host keys. What is the advantage of re-generating the default key?

Continue reading Why should I re-generate a server’s SSH host keys?→

Why should I disable insecure SSH hostkeys if I never plan on using them?

Posted on October 9, 2022 by angryserver

A number of articles suggest removing insecure (broken) SSH key types in order to have a more secure server. In practice, if I only connect to the server with secure key types, why should I bother deleting insecure key types? What is a pra… Continue reading Why should I disable insecure SSH hostkeys if I never plan on using them?→

Is the EC2 console "connect" button the only way to get access to a new EC2 instance if you do not attach a key to it? [closed]

Posted on September 30, 2022 by angryserver

When creating an EC2 instance, there is an option to not add an SSH key to the server. When this option is selected, you can still access the server via the EC2 UI by clicking "connect".
Is there any other way to access a new ser… Continue reading Is the EC2 console "connect" button the only way to get access to a new EC2 instance if you do not attach a key to it? [closed]→

When I encrypt a file with gpg, am I encrypting it with a key that lives on my local machine? [closed]

Posted on September 29, 2022 by angryserver

I can encrypt a file with gpg in the following manner:
gpg –symmetric –cipher-algo AES256 ./test.txt
This allows me to encrypt the file with a password. Does this also use a key I have locally, or is it strictly encrypted with the passwo… Continue reading When I encrypt a file with gpg, am I encrypting it with a key that lives on my local machine? [closed]→

When hardening my SSH key, why would I use yubikey-agent instead of the built-in `-sk` key type native to OpenSSH?

Posted on September 28, 2022 by angryserver

OpenSSH 8.2 added -sk key types that allow for FIDO/U2F hardware authenticators (like a YubiKey, etc.)
yubikey-agent allows for the same functionality, except it (a) requires an additional client on top of OpenSSH, and (b) is scoped to onl… Continue reading When hardening my SSH key, why would I use yubikey-agent instead of the built-in `-sk` key type native to OpenSSH?→